From 0e9f8844a0a59b23cb67201ba9cd3d1fcbbb91a0 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Tue, 18 May 2010 20:30:50 -0300 Subject: Adding Ubuntu_lucid.erb --- templates/sshd_config/Ubuntu_lucid.erb | 192 +++++++++++++++++++++++++++++++++ 1 file changed, 192 insertions(+) create mode 100644 templates/sshd_config/Ubuntu_lucid.erb (limited to 'templates/sshd_config/Ubuntu_lucid.erb') diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb new file mode 100644 index 0000000..5f7afb4 --- /dev/null +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -0,0 +1,192 @@ +# Package generated configuration file +# See the sshd(8) manpage for details + +<%- unless sshd_head_additional_options.to_s.empty? then %> +<%= sshd_head_additional_options %> +<%- end %> + +# What ports, IPs and protocols we listen for +<%- unless sshd_port.to_s.empty? then -%> +<%- if sshd_port.to_s == 'off' then -%> +#Port -- disabled by puppet +<% else -%> +Port <%= sshd_port -%> +<% end -%> +<%- else -%> +Port 22 +<%- end -%> + +# Use these options to restrict which interfaces/protocols sshd will bind to +<% for address in sshd_listen_address -%> +ListenAddress <%= address %> +<% end -%> +Protocol 2 +# HostKeys for protocol version 2 +HostKey /etc/ssh/ssh_host_rsa_key +HostKey /etc/ssh/ssh_host_dsa_key +#Privilege Separation is turned on for security +UsePrivilegeSeparation yes + +# ...but breaks Pam auth via kbdint, so we have to turn it off +# Use PAM authentication via keyboard-interactive so PAM modules can +# properly interface with the user (off due to PrivSep) +#PAMAuthenticationViaKbdInt no +# Lifetime and size of ephemeral version 1 server key +KeyRegenerationInterval 3600 +ServerKeyBits 768 + +# Logging +SyslogFacility AUTH +LogLevel INFO + +# Authentication: +LoginGraceTime 600 +<%- unless sshd_permit_root_login.to_s.empty? then -%> +PermitRootLogin <%= sshd_permit_root_login -%> +<%- else -%> +PermitRootLogin without-password +<%- end -%> + +<%- if sshd_strict_modes.to_s == 'yes' then -%> +StrictModes yes +<%- else -%> +StrictModes no +<%- end -%> + +<%- if sshd_rsa_authentication.to_s == 'yes' then -%> +RSAAuthentication yes +<%- else -%> +RSAAuthentication no +<%- end -%> + +<%- if sshd_pubkey_authentication.to_s == 'yes' then -%> +PubkeyAuthentication yes +<%- else -%> +PubkeyAuthentication no +<%- end -%> + +<%- unless sshd_authorized_keys_file.to_s.empty? then -%> +AuthorizedKeysFile <%= sshd_authorized_keys_file %> +<%- else -%> +AuthorizedKeysFile %h/.ssh/authorized_keys +<%- end -%> + +# For this to work you will also need host keys in /etc/ssh_known_hosts +<%- if sshd_rhosts_rsa_authentication.to_s == 'yes' then -%> +RhostsRSAAuthentication yes +<%- else -%> +RhostsRSAAuthentication no +<% end -%> + +# Don't read the user's ~/.rhosts and ~/.shosts files +<%- if sshd_ignore_rhosts.to_s == 'yes' then -%> +IgnoreRhosts yes +<%- else -%> +IgnoreRhosts no +<% end -%> + +# similar for protocol version 2 +<%- if sshd_hostbased_authentication.to_s == 'yes' then -%> +HostbasedAuthentication yes +<%- else -%> +HostbasedAuthentication no +<% end -%> + +# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication +#IgnoreUserKnownHosts yes + +# To enable empty passwords, change to yes (NOT RECOMMENDED) +<%- if sshd_permit_empty_passwords.to_s == 'yes' then -%> +PermitEmptyPasswords yes +<% else -%> +PermitEmptyPasswords no +<% end -%> + +# Change to no to disable s/key passwords +<%- if sshd_challenge_response_authentication.to_s == 'yes' then -%> +ChallengeResponseAuthentication yes +<%- else -%> +ChallengeResponseAuthentication no +<%- end -%> + +# To disable tunneled clear text passwords, change to no here! +<%- if sshd_password_authentication.to_s == 'yes' then -%> +PasswordAuthentication yes +<%- else -%> +PasswordAuthentication no +<%- end -%> + +# To change Kerberos options +#KerberosAuthentication no +#KerberosOrLocalPasswd yes +#AFSTokenPassing no +#KerberosTicketCleanup no + +# Kerberos TGT Passing does only work with the AFS kaserver +#KerberosTgtPassing yes + +<%- if sshd_x11_forwarding.to_s == 'yes' then -%> +X11Forwarding yes +<%- else -%> +X11Forwarding no +<%- end -%> +X11DisplayOffset 10 +KeepAlive yes +#UseLogin no + +#MaxStartups 10:30:60 +#Banner /etc/issue.net +#ReverseMappingCheck yes + +<%- if sshd_sftp_subsystem.to_s.empty? then %> +Subsystem sftp /usr/lib/openssh/sftp-server +<%- else %> +Subsystem sftp <%= sshd_sftp_subsystem %> +<%- end %> + +# Set this to 'yes' to enable PAM authentication, account processing, +# and session processing. If this is enabled, PAM authentication will +# be allowed through the ChallengeResponseAuthentication and +# PasswordAuthentication. Depending on your PAM configuration, +# PAM authentication via ChallengeResponseAuthentication may bypass +# the setting of "PermitRootLogin without-password". +# If you just want the PAM account and session checks to run without +# PAM authentication, then enable this but set PasswordAuthentication +# and ChallengeResponseAuthentication to 'no'. +<%- if sshd_use_pam.to_s == 'yes' then -%> +UsePAM yes +<%- else -%> +UsePAM no +<%- end -%> + +HostbasedUsesNameFromPacketOnly yes + +<%- if sshd_tcp_forwarding.to_s == 'yes' then -%> +AllowTcpForwarding yes +<%- else -%> +AllowTcpForwarding no +<%- end -%> + +<%- if sshd_agent_forwarding.to_s == 'yes' then -%> +AllowAgentForwarding yes +<%- else -%> +AllowAgentForwarding no +<%- end -%> + +ChallengeResponseAuthentication no + +<%- unless sshd_allowed_users.to_s.empty? then -%> +AllowUsers <%= sshd_allowed_users -%> +<%- end -%> +<%- unless sshd_allowed_groups.to_s.empty? then %> +AllowGroups <%= sshd_allowed_groups %> +<%- end %> + +<%- if sshd_print_motd.to_s == 'no' then -%> +PrintMotd no +<%- end -%> + +<%- unless sshd_tail_additional_options.to_s.empty? then %> +<%= sshd_tail_additional_options %> +<%- end %> + -- cgit v1.2.3 From 85880085ff2e1f49b5888865a63f60f307185ab8 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sat, 19 Feb 2011 18:48:59 -0200 Subject: Updating lucid template with new ssh port scheme --- templates/sshd_config/Ubuntu_lucid.erb | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'templates/sshd_config/Ubuntu_lucid.erb') diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 5f7afb4..d5c9c31 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -6,14 +6,12 @@ <%- end %> # What ports, IPs and protocols we listen for -<%- unless sshd_port.to_s.empty? then -%> -<%- if sshd_port.to_s == 'off' then -%> +<%- sshd_ports.each do |port| -%> +<%- if port.to_s == 'off' then -%> #Port -- disabled by puppet <% else -%> -Port <%= sshd_port -%> +Port <%= port %> <% end -%> -<%- else -%> -Port 22 <%- end -%> # Use these options to restrict which interfaces/protocols sshd will bind to -- cgit v1.2.3 From 75105d66d89671943a1eb1f37573b4e63dd33919 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Wed, 23 Feb 2011 14:40:02 -0300 Subject: Adding sshd_use_strong_ciphers to all sshd_config templates --- templates/sshd_config/Ubuntu_lucid.erb | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'templates/sshd_config/Ubuntu_lucid.erb') diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index d5c9c31..904a409 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -188,3 +188,7 @@ PrintMotd no <%= sshd_tail_additional_options %> <%- end %> +<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> +Ciphers aes128-ctr +MACs hmac-sha1 +<%- end %> -- cgit v1.2.3 From 57d8883d485baa09a0841d629fe66406611ca261 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Wed, 13 Jul 2011 18:41:59 -0300 Subject: Removing sshd_use_strong_ciphers parameter as sshd_hardened_ssl does the job --- templates/sshd_config/Ubuntu_lucid.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'templates/sshd_config/Ubuntu_lucid.erb') diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 904a409..1c44c7b 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -188,7 +188,7 @@ PrintMotd no <%= sshd_tail_additional_options %> <%- end %> -<%- if sshd_use_strong_ciphers.to_s == 'yes' then -%> +<%- if sshd_hardened_ssl.to_s == 'yes' then -%> Ciphers aes128-ctr MACs hmac-sha1 <%- end %> -- cgit v1.2.3 From 0e9e1b6f2c5dca80c946f7944d47f1d28ba76920 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Thu, 21 Jul 2011 11:01:33 -0300 Subject: Adding PrintMotd parameter to all templates and setting per-distro default value --- templates/sshd_config/Ubuntu_lucid.erb | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'templates/sshd_config/Ubuntu_lucid.erb') diff --git a/templates/sshd_config/Ubuntu_lucid.erb b/templates/sshd_config/Ubuntu_lucid.erb index 1c44c7b..304558b 100644 --- a/templates/sshd_config/Ubuntu_lucid.erb +++ b/templates/sshd_config/Ubuntu_lucid.erb @@ -180,9 +180,7 @@ AllowUsers <%= sshd_allowed_users -%> AllowGroups <%= sshd_allowed_groups %> <%- end %> -<%- if sshd_print_motd.to_s == 'no' then -%> -PrintMotd no -<%- end -%> +PrintMotd <%= sshd_print_motd %> <%- unless sshd_tail_additional_options.to_s.empty? then %> <%= sshd_tail_additional_options %> -- cgit v1.2.3